Your message dated Mon, 23 Mar 2026 22:49:11 +0000
with message-id <[email protected]>
and subject line Bug#1131463: fixed in ruby-json 2.19.2+dfsg-1
has caused the Debian Bug report #1131463,
regarding ruby-json: CVE-2026-33210
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131463: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131463
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-json
Version: 2.19.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-json.

CVE-2026-33210[0]:
| Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to
| before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string
| injection vulnerability can lead to denial of service attacks or
| information disclosure, when the allow_duplicate_key: false parsing
| option is used to parse user supplied documents. This issue has been
| patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33210
    https://www.cve.org/CVERecord?id=CVE-2026-33210
[1] https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
[2] https://github.com/ruby/json/commit/393b41c3e5f87491e1e34fa59fa78ff6fa179a74

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
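
An added example, not part of the bug report or of the ruby/json project: a branch-aware check of a json version string against the ranges in the CVE text above, since a plain "older than 2.19.2" comparison would wrongly flag the patched 2.15.2.1 and 2.17.1.2 releases. The helper names are hypothetical, and treating series with no listed fix (2.14, 2.16, 2.18) as vulnerable is an assumption.

```ruby
# Added example (not from the bug report or the ruby/json project).
# Version bounds are taken from the CVE-2026-33210 text quoted above.
require "rubygems"

FIRST_AFFECTED = Gem::Version.new("2.14.0")

# Patched releases named in the advisory, keyed by their minor series.
PATCHED = {
  "2.15" => Gem::Version.new("2.15.2.1"),
  "2.17" => Gem::Version.new("2.17.1.2"),
  "2.19" => Gem::Version.new("2.19.2"),
}.freeze
LATEST_PATCHED = PATCHED.values.max

# Drop Debian decoration such as an epoch, "+dfsg" and the "-1" revision.
def upstream_version(str)
  Gem::Version.new(str.sub(/\A\d+:/, "").sub(/[+~-].*\z/, ""))
end

# Returns :not_affected, :patched or :vulnerable.
def cve_2026_33210_status(version_string)
  v = upstream_version(version_string)
  return :not_affected if v < FIRST_AFFECTED
  return :patched if v >= LATEST_PATCHED

  series = v.segments.first(2).join(".")
  fix = PATCHED[series]
  # Assumption: a series with no listed fix (2.14, 2.16, 2.18) stays vulnerable.
  fix && v >= fix ? :patched : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  require "json"
  # Report on the json library this interpreter actually loads.
  puts "json #{JSON::VERSION}: #{cve_2026_33210_status(JSON::VERSION)}"
end
```

A :vulnerable result is exploitable only where allow_duplicate_key: false is used to parse user supplied documents, as the advisory states, so pair the version check with a search of the code base for that option.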
--- Begin Message ---
Source: ruby-json
Source-Version: 2.19.2+dfsg-1
Done: Simon Quigley <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-json, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Quigley <[email protected]> (supplier of updated ruby-json package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Mar 2026 17:27:50 -0500
Source: ruby-json
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 2.19.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Simon Quigley <[email protected]>
Closes: 1131463
Changes:
 ruby-json (2.19.2+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #1131463).
     - Fixes CVE-2026-33210.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---